git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/Cluster.pm
implement API for cluster.fw policy_in and policy_out options
1 package PVE::API2::Firewall::Cluster;
2
3 use strict;
4 use warnings;
5 use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
6 use PVE::JSONSchema qw(get_standard_option);
7
8 use PVE::Firewall;
9 use PVE::API2::Firewall::Rules;
10 use PVE::API2::Firewall::Groups;
11 use PVE::API2::Firewall::IPSet;
12
13 #fixme: locking?
14
15 use Data::Dumper; # fixme: remove
16
17 use base qw(PVE::RESTHandler);
18
# Mount the child API handlers below this node. Each entry maps a URL path
# segment to the handler package that serves everything underneath it.
# Registration order is kept as groups, rules, ipset.
# NOTE(review): ClusterRules and ClusterIPSetList are not loaded under those
# names here; presumably they are defined inside the Rules and IPSet modules
# imported at the top of the file - confirm. Access control for these
# subtrees is whatever the child handlers declare; nothing is set here.
for my $mount (
    [ groups => "PVE::API2::Firewall::Groups" ],
    [ rules  => "PVE::API2::Firewall::ClusterRules" ],
    [ ipset  => "PVE::API2::Firewall::ClusterIPSetList" ],
) {
    my ($path, $subclass) = @$mount;

    __PACKAGE__->register_method({
        subclass => $subclass,
        path     => $path,
    });
}
33
# GET <this node>/ - directory index of the cluster firewall API.
#
# Returns an array of { name => ... } objects, one per child resource; the
# 'links' entry tells clients to treat each name as a relative child path.
__PACKAGE__->register_method({
    name        => 'index',
    path        => '',
    method      => 'GET',
    # 'all' is the broadest setting used in this file (presumably "any
    # authenticated user" - confirm against the REST framework). That is
    # acceptable here only because the handler returns a fixed list of names
    # and reads no firewall configuration.
    permissions => { user => 'all' },
    description => "Directory index.",
    parameters  => {
        additionalProperties => 0,
    },
    returns => {
        type  => 'array',
        items => {
            type       => "object",
            properties => {},
        },
        links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
        my ($param) = @_;

        # Static list of child resources; nothing here depends on $param.
        my @children = qw(rules options groups ipset macros);

        return [ map { +{ name => $_ } } @children ];
    },
});
64
# Schema of the cluster-wide firewall options exposed by get_options and
# set_options. It serves two purposes in this file:
#   * it is the JSON schema handed to the REST framework for both endpoints;
#   * its key set is the allow-list set_options uses to decide which options
#     may be deleted or written.
# The 'enum' lists restrict both policies to ACCEPT, REJECT or DROP.
# NOTE(review): enforcement of 'type' and 'enum' is assumed to happen in the
# REST framework before the handler runs - set_options itself does not
# re-check the values it writes.
my $option_properties = do {
    # Each policy entry gets its own hash and its own enum array, so the two
    # entries share no references.
    my $policy = sub {
        my ($description) = @_;
        return {
            description => $description,
            type        => 'string',
            optional    => 1,
            enum        => [ 'ACCEPT', 'REJECT', 'DROP' ],
        };
    };

    +{
        enable => {
            type     => 'boolean',
            optional => 1,
        },
        policy_in  => $policy->("Input policy."),
        policy_out => $policy->("Output policy."),
    };
};
83
# Merge the shared option schema into a caller-supplied properties hash.
#
# $properties - hash ref of schema entries; it is modified in place and also
#               returned, so the call can be used inline in a schema literal.
#
# Entries from $option_properties overwrite same-named keys in $properties.
# The schema entries are stored by reference, not copied, so the resulting
# hash shares its option sub-hashes with $option_properties.
my $add_option_properties = sub {
    my ($properties) = @_;

    # keys and values walk an unmodified hash in the same order, so the
    # slice pairs every option name with its own schema entry.
    @{$properties}{ keys %$option_properties } = values %$option_properties;

    return $properties;
};
93
94
# GET <this node>/options - read the cluster-wide firewall options.
#
# Takes no parameters. Returns whatever copy_opject_with_digest() produces
# for the 'options' section of the cluster firewall configuration
# (presumably a copy of the options plus a 'digest' field - confirm in
# PVE::Firewall).
#
# NOTE(review): unlike 'index', this registration declares no 'permissions'
# entry, so who may read the firewall options is decided by the REST
# framework's behaviour for methods without one. Confirm that default is
# restrictive, and prefer an explicit permission check so the intent is
# visible at the endpoint.
__PACKAGE__->register_method({
    name        => 'get_options',
    path        => 'options',
    method      => 'GET',
    description => "Get Firewall options.",
    parameters  => {
        additionalProperties => 0,
    },
    returns => {
        type => "object",
        #additionalProperties => 1,
        properties => $option_properties,
    },
    code => sub {
        my ($param) = @_;

        my $conf = PVE::Firewall::load_clusterfw_conf();

        # Returned directly so the helper sees the same calling context as
        # this handler does.
        return PVE::Firewall::copy_opject_with_digest($conf->{options});
    },
});
115
116
# PUT <this node>/options - change the cluster-wide firewall options.
#
# Parameters (all optional):
#   enable, policy_in, policy_out - new values, see $option_properties;
#   delete - list of option names to remove from the configuration;
#   digest - digest of the options the client last read; the request is
#            rejected by assert_if_modified() when it no longer matches.
# Returns nothing (schema type "null").
#
# NOTE(review): this endpoint rewrites the firewall 'enable' flag and the
# default input/output policies for the whole cluster, yet the registration
# declares no 'permissions' entry. 'protected => 1' is set (presumably this
# routes the call to the privileged daemon - confirm). Verify that the REST
# framework denies callers by default when 'permissions' is absent, and
# prefer an explicit permission check on this method.
#
# NOTE(review): load -> modify -> save runs without a lock (the file header
# carries "fixme: locking?"). The digest comparison narrows the window but
# does not close it: two requests that both pass the check before either
# saves will silently overwrite one another.
__PACKAGE__->register_method({
    name        => 'set_options',
    path        => 'options',
    method      => 'PUT',
    description => "Set Firewall options.",
    protected   => 1,
    parameters  => {
        additionalProperties => 0,
        properties => $add_option_properties->({
            delete => {
                type => 'string', format => 'pve-configid-list',
                description => "A list of settings you want to delete.",
                optional => 1,
            },
            digest => get_standard_option('pve-config-digest'),
        }),
    },
    returns => { type => "null" },
    code => sub {
        my ($param) = @_;

        my $conf = PVE::Firewall::load_clusterfw_conf();

        # Optimistic concurrency check: compare the digest of the options as
        # currently stored with the one supplied by the client.
        my (undef, $current_digest) =
            PVE::Firewall::copy_opject_with_digest($conf->{options});
        PVE::Tools::assert_if_modified($current_digest, $param->{digest});

        if ($param->{delete}) {
            for my $opt (PVE::Tools::split_list($param->{delete})) {
                # Only names present in the option schema may be deleted.
                # Changes so far are in memory only, so raising here leaves
                # the stored configuration untouched.
                if (!$option_properties->{$opt}) {
                    raise_param_exc({ delete => "no such option '$opt'" });
                }
                delete $conf->{options}->{$opt};
            }
        }

        # Store 'enable' as a strict 0/1 whatever truthy form was sent.
        $param->{enable} = $param->{enable} ? 1 : 0
            if defined($param->{enable});

        # Only schema-defined options are copied; 'delete' and 'digest' are
        # never written. Values are applied after deletions, so an option
        # named in both 'delete' and as a new value ends up set.
        for my $name (grep { defined($param->{$_}) } keys %$option_properties) {
            $conf->{options}->{$name} = $param->{$name};
        }

        PVE::Firewall::save_clusterfw_conf($conf);

        return undef;
    },
});
164
# GET <this node>/macros - list the firewall macros known to PVE::Firewall.
#
# Takes no parameters. Returns an array of { macro, descr } objects; 'descr'
# falls back to the macro name when get_macros() supplies no (or an empty)
# description. Entries come out in hash-key order, which Perl does not
# define, so clients must not rely on the ordering.
#
# NOTE(review): no 'permissions' entry is declared here either; access is
# decided by the REST framework's default for such methods - confirm.
__PACKAGE__->register_method({
    name        => 'get_macros',
    path        => 'macros',
    method      => 'GET',
    description => "List available macros",
    parameters  => {
        additionalProperties => 0,
    },
    returns => {
        type  => 'array',
        items => {
            type       => "object",
            properties => {
                macro => {
                    description => "Macro name.",
                    type        => 'string',
                },
                descr => {
                    description => "More verbose description (if available).",
                    type        => 'string',
                },
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my ($macros, $descr) = PVE::Firewall::get_macros();

        my @list = map {
            +{ macro => $_, descr => $descr->{$_} || $_ }
        } keys %$macros;

        return \@list;
    },
});

1;